A quick guide to PCI DSS v3.2

A quick guide to PCI DSS v3.2

By Natasja Bolton, Senior Acquirer Support

In order to assist you with navigating the updated standard we’ve prepared the following easy to reference Guide to PCI DSS v3.2. For a more in-depth review of PCI V3.2 we recommend reading the article PCI DSS v3.2 – What’s changed.


Guide to PCI DSS v3.2

Key Dates

PCI DSS v3.2 Effective from: Now
PCI DSS v3.1 Retired from: October 31, 2016

New Requirements

All new requirements are best practice until January 31, 2018

V3.2 Req No. Summary
6.4.6 Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.
8.3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.
3.5.1 Maintain a documented description of the cryptographic architecture, including details of all algorithms, protocols, and keys used, description of the key usage for each key, inventory of any HSMs and other SCDs used for key management.
10.8 Implement a process for the timely detection and reporting of failures of critical security control systems, including firewalls, IDS/IPS, FIM, anti-virus, access controls and audit logging.
10.8.1 Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls to include restoring security functions, recording duration, root cause, remediation required, risk assessment and prevention of reoccurrence. If segmentation is used,

Confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.

12.4.1 Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program, including overall accountability for maintaining PCI DSS compliance, defining a charter for a PCI DSS compliance program and communication to executive management
12.11 Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover: daily log reviews, firewall rule-set reviews, applying configuration standards to new systems, responding to security alerts, change management processes.
12.11.1 Maintain documentation of quarterly review process including documented results of the reviews, review and sign-off of results by responsible personnel.

Updates to PCI DSS Appendices

Appendix Status in v3.2 Usage
Appendix A1 No Change Additional PCI DSS Requirements for Shared Hosting Providers
Appendix A2 New Additional PCI DSS Requirements for Entities using SSL/early TLS

All testing procedures relating to SSL/early TLS have been moved from each of requirements 2.2.3, 2.3 and 4.1 to Appendix A2.

This appendix applies to entities using SSL/early TLS as a security control to protect the CDE and/or CHD

Appendix A3 New Designated Entities Supplemental Validation (DESV)

Additional assessment and validation applicable only to entities designated by a payment brand(s) or acquirer as requiring additional validation of existing PCI DSS requirements

Appendix B No Change Compensating Controls

Explanation of the criteria for and usage of compensating controls

Appendix C No Change Compensating Controls Worksheet

Worksheet for defining compensating controls

Appendix D No Change Segmentation and Sampling of Business Facilities/System Components

Information on the effect of network segmentation and sampling on the scope of a PCI DSS assessment

New more flexible requirements

PCI DSS v3.1 PCI DSS v3.2
1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only “established” connections are allowed into the network.) 1.3.5 Permit only “established” connections into the network.


1.4 Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network.


1.4 Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE.
3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN.


3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN.

Removed Requirements

Requirement Reason for Removal
1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment. This requirement’s intent is met through other requirements in 1.2 and 1.3


Clarifications of intent and implementation

The list below lists the key clarifications, updates and amendments to specific requirements and/or their associated guidance.  Please refer to the PCI SSC Summary of Changes from PCI DSS Version 3.1 to 3.2 for the complete list of updates to terminology, examples and guidance notes.

RequirementV3.2 Req No. Topic Comment
Multiple Payment Applications Additional references to / inclusion of payment applications.  Testing of payments applications is explicitly called out in many requirements, including Requirement 2.1 (change vendor defaults), Requirement 3.4.d (Render PAN unreadable anywhere it is stored: examine payment application logs), Requirement 6.2 (install critical patches within one month).
1.1.6 Firewall & Router Configuration Standards Now requires documentation of approval for use of all services, protocols, and ports allowed as well as business justification.
1.2.1. 1.3 Restricting connections between untrusted networks and the CDE Updates guidance clarifying intent of requirements as requirement 1.3.3 has been removed (see above)
3.4.1 Using disk encryption to render stored cardholder data unreadable Updated to confirm that this requirement applies in addition to all other PCI DSS encryption and key-management requirements (i.e. Requirements 3.5 and 3.6)
3.6.1.b Cryptographic Key Management Processes Updated testing procedure and guidance in relation to procedures for the generation of strong cryptographic keys
6.4.4 Change Control Processes and Procedures Clarification to requirement, testing procedures and guidance to ensure that test data and accounts must be removed from system components before they become active and /or go into production
6.4.5 Change Control Processes and Procedures Updated guidance confirming the intent is for change control procedures to apply to all system changes, including hardware or software updates and installation of security patches.
6.5 Software Development Processes Update to software developer training requirements; training must be up to date and at least annual
8.1.5 User identification management Organisations are now required to manage the IDs used by any third party (not just vendors, as in v3.1) to support, manage or maintain their system components via remote access.
8.3 Multi-factor Authentication All references to ‘two-factor authentication’ have become ‘multi-factor authentication’
9.1.1 Facility entry controls Updated to confirm that the requirement is for either video cameras or access control mechanisms (or both) to be used to monitor individual physical access
11.2.1 Quarterly internal vulnerability scans Clarified requirement to ensure that all “high risk” vulnerabilities are resolved in accordance with the entity’s vulnerability ranking (per Requirement 6.1).
11.3.4.c Segmentation penetration Testing Updates to confirm that a qualified internal resource or qualified external third party must be used to perform segmentation penetration testing, as is required by all other penetration testing requirements.
11.5.a Change-Detection Removed statement in testing procedure: ‘within the CDE, as in-scope systems and hence critical system files may be outside of the CDE itself.
12.6 Security Awareness Program Clarified that the intent of security awareness program includes awareness of cardholder data policy and procedures
12.8.1 Manage Service Providers Updated requirement requiring that the list of service provider must include a description of the service provided.
12.10.2 Incident Response Plan Annual incident response plan testing now requirement inclusion of all elements of the plan as specified in requirement 12.10.1.



For more information and full details of the PCI DSS v3.2 refer to:

PCI Data Security Standard version 3.2

PCI SSC Summary of Changes from PCI DSS Version 3.1 to 3.2

PCI SSC v3.2 Blog post


Webpage URL

Find out more about our PCI DSS compliance services by clicking the button below